Update: An investigation revealed that “no hacks or any issues with Cream Finance smart contracts” were found. Reportedly, the issue emerged from the Alpha Finance side of the Iron Bank.
According to a tweet by Alpha Finance Labs, “The loophole has been patched,” with the protocol in the process of investigating the stolen funds. In fact, Alpha also revealed that they have a prime suspect already.
According to reports, Cream Finance has likely been exploited, with withdrawals from the Iron Bank temporarily being suspended as well. While details were sparse at press time, the protocol refused to clarify whether it had indeed been exploited. In fact, Cream Finance’s only update was that it is currently investigating a “potential exploit.”
We are aware of a potential exploit and are looking into this. Thank you for your support as we investigate.
— Cream Finance (@CreamdotFinance) February 13, 2021
Many in the crypto-community are speculating that the attackers in the present case made off with 13k ETH, with the figures amounting to over $23 million, at the time of writing.
The exploit reportedly involved arbitraging the Iron Bank contracts on Cream Finance. The contract address allegedly responsible for the attack was funded through Tornado Cash – a method commonly used by hackers to anonymously launder funds. Tornado Cash improves transaction privacy by breaking the on-chain link between the source and destination addresses.
On-chain data suggests that the address in question has started sending several ETH through Tornado Cash, in addition to sending 1000 ETH to Alpha Homora Deployer, 1000 ETH to Cream Finance, and 100 ETH to Tornado’s grant.
As of six hours ago, the Cream Iron Bank had $6.1 billion of $AAVE locked, along with $1.07 billion of $CREAM.
The Iron Bank, which was launched as a part of CREAM v2, is intended to be CREAM’s paradigm-shifting protocol-to-protocol lending platform and liquidity backstop for the entire DeFi ecosystem.
The price of the $CREAM token dipped sharply as soon as the development first came to light. In fact, it fell by over 30% in one hour from $288 to $193, following news of the potential exploit.
This article will be updated…